Replies: 1 comment 2 replies
-
|
These are good questions, but the short answer is that the CA renewal script does not currently handle this. Once you have updated the token and restarted all your nodes, the old CA can be cleaned out of the bundles, and A PR would be welcome, if anyone is interested in handling this. |
Beta Was this translation helpful? Give feedback.
-
|
What do you mean by "restarted all your nodes"? Restart k3s and k3s-agent service? And you confirm that pods don’t have to be restarted? Thank you very much for your answer! |
Beta Was this translation helpful? Give feedback.
-
|
Pods would need to be restarted as well, otherwise there's no guarantee that things will load the updated cluster CA bundles. If you know that everything you're running supports dynamic cert reloading then you could get away with just restarting the services, but I wouldn't bet on that being the case. |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
Hello,
I used the following documentation https://docs.k3s.io/cli/certificate#rotating-self-signed-ca-certificates to rotate the self-sifgned CAs in my K3S cluster (with the cross-signed certificate).
These are certificates before rotation:
And after the rotation:
As mentioned in the K3S documentation (https://docs.k3s.io/cli/certificate#checking-expiration-dates), there are 2 lines for each certificate before the CA rotation. After this rotation, there are 5 lines for each certificate (due to the old CA, the cross-signed CA, the new CA, the intermediate CA and the leaf).
Thanks in advance
Beta Was this translation helpful? Give feedback.
All reactions